Mutual authentication with Tomcat 7

Backend · Unresolved · 4 answers · 1450 views
醉话见心 2020-12-07 21:28

I'm trying to set up a Java web service running in Tomcat 7 to use mutual (2-way) authentication. It seems like no matter what I do, connecting to the service on the secur

4 answers
长情又很酷 2020-12-07 21:55

    It took me some time to get it working correctly using OpenSSL certificates, so I'm drafting my notes here so that they may help others visiting this page.

    Step 1: Create your own root CA

    ~/openssl$ mkdir -m 0700 /home/ubuntu/openssl/CA /home/ubuntu/openssl/CA/certs /home/ubuntu/openssl/CA/crl /home/ubuntu/openssl/CA/newcerts /home/ubuntu/openssl/CA/private
    ~/openssl$ touch /home/ubuntu/openssl/CA/index.txt
    ~/openssl$ echo 1000 >> /home/ubuntu/openssl/CA/serial
    
    ~/openssl$ sudo vi /etc/openssl.cnf
        # Make changes here
        dir = /home/ubuntu/openssl/CA
        #optionally change policy definitions as well
    ~/openssl$ openssl genrsa -des3 -out karun-tomcat-root-ca.key 2048
    
      #In below command make sure to use CN=
    ~/openssl$ openssl req -new -x509 -days 36520 -key karun-tomcat-root-ca.key -out karun-tomcat-root-ca.crt -config openssl.cnf
    
      # Move the CA key and certificate into the CA directory; the later steps reference them there
    ~/openssl$ mv karun-tomcat-root-ca.key CA/private/
    ~/openssl$ mv karun-tomcat-root-ca.crt CA/certs/
    
    ~$ sudo cp ~/openssl/CA/certs/karun-tomcat-root-ca.crt /usr/share/ca-certificates/
    
      # make sure in the UI you enable/select the certificate created above
    ~$ sudo dpkg-reconfigure ca-certificates
      # Now reboot the ubuntu machine just to make sure certificates are loaded successfully and tomcat picks them up
    

    Step 2: Create Tomcat Server's Key Pair

    ~$ openssl genrsa -out tomcat-server.key 2048
    
       # Use common name = , department = Tomcat Server CSR
    ~$ openssl req -new -sha256 -config ~/openssl/openssl.cnf -key tomcat-server.key -out tomcat-server.csr
       # Sign the server CSR with the root CA (-signkey, which self-signs, is not used here; -CA/-CAkey do the signing)
    ~$ openssl x509 -req -sha256 -days 36520 -in tomcat-server.csr -CA ~/openssl/CA/certs/karun-tomcat-root-ca.crt -CAkey ~/openssl/CA/private/karun-tomcat-root-ca.key -CAcreateserial -out tomcat-server.crt
    ~$ openssl pkcs12 -export -name karun-tomcat-server-cert -in tomcat-server.crt -out tomcat-server.p12 -inkey tomcat-server.key -CAfile ~/openssl/CA/certs/karun-tomcat-root-ca.crt -caname karun-root -chain
    
    ~$ keytool -importkeystore -destkeystore tomcat-server.jks -srckeystore tomcat-server.p12 -srcstoretype pkcs12 -alias karun-tomcat-server-cert
    
       # Import the root CA so the server trusts client certificates issued by it
    ~$ keytool -import -alias karun-root -keystore tomcat-server.jks -trustcacerts -file ~/openssl/CA/certs/karun-tomcat-root-ca.crt
    
    # **(LATER)** Run this once client cert is generated
       # Note: this imports the client's private key into the server keystore too; the root CA import above is already what Tomcat needs to verify clients
    ~$ keytool -importkeystore -alias karun-tomcat-client-cert -srckeystore ~/client-certs/tomcat-client.p12 -srcstoretype PKCS12 -destkeystore tomcat-server.jks -deststoretype JKS
    
    # **(LATER)** Run this once tomcat server started successfully
       # Presents the client certificate and shows the server's certificate chain and handshake details
    ~$ openssl s_client -connect localhost:8443 -cert ~/client-certs/tomcat-client.crt -key ~/client-certs/tomcat-client.key -debug -showcerts
    

    Step 3: Create Client Side Key Pair

    ~$ openssl genrsa -out tomcat-client.key 2048
      # Use common name = , department = Tomcat Client CSR
    ~$ openssl req -new -sha256 -config ~/openssl/openssl.cnf -key tomcat-client.key -out tomcat-client.csr
      # Sign the client CSR with the root CA (-signkey, which self-signs, is not used here; -CA/-CAkey do the signing)
    ~$ openssl x509 -req -sha256 -days 36520 -in tomcat-client.csr -CA ~/openssl/CA/certs/karun-tomcat-root-ca.crt -CAkey ~/openssl/CA/private/karun-tomcat-root-ca.key -CAcreateserial -out tomcat-client.crt
    ~$ openssl pkcs12 -export -name karun-tomcat-client-cert -in tomcat-client.crt -out tomcat-client.p12 -inkey tomcat-client.key -CAfile ~/openssl/CA/certs/karun-tomcat-root-ca.crt -caname karun-root -chain
      # (optional steps) build a JKS keystore for Java-based clients
    ~$ keytool -importkeystore -destkeystore tomcat-client.jks -srckeystore tomcat-client.p12 -srcstoretype pkcs12 -alias karun-tomcat-client-cert
    ~$ keytool -import -alias root -keystore tomcat-client.jks -trustcacerts -file ~/openssl/CA/certs/karun-tomcat-root-ca.crt
    

    Step 4: Tomcat Changes

    # Make this change in server.xml of tomcat server
    
    

    Step 5: Restart the Tomcat server and check the logs to ensure there are no errors at bootup

    Step 6: Upload Client cert to browser

    In your browser (e.g. Firefox), navigate to Preferences -> Advanced -> Certificate -> View Certificates -> Your Certificates

    Import "tomcat-client.p12"

    https://:8443/
    

    References

    http://pages.cs.wisc.edu/~zmiller/ca-howto/

    http://www.area536.com/projects/be-your-own-certificate-authority-with-openssl/
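The `<Connector>` element that the answer's Step 4 refers to did not survive extraction, so here is an added example of a Tomcat 7 HTTPS connector that requires a client certificate. This is not the answerer's configuration: it assumes the keystore built above lives at `/home/ubuntu/tomcat-server.jks` (serving both as keystore and truststore, since the root CA was imported into it under alias `karun-root`), and the password values are placeholders you must replace.

```xml
<!-- Added example for server.xml (conf/server.xml in CATALINA_BASE); not from the original answer.
     Assumes the keystore/truststore at /home/ubuntu/tomcat-server.jks from Steps 2-3.
     CHANGEME_* values are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"

           clientAuth="true"

           keystoreFile="/home/ubuntu/tomcat-server.jks"
           keystorePass="CHANGEME_keystore_password"
           keyAlias="karun-tomcat-server-cert"

           truststoreFile="/home/ubuntu/tomcat-server.jks"
           truststorePass="CHANGEME_truststore_password" />
```

`clientAuth="true"` makes Tomcat reject any TLS handshake that does not present a certificate chaining to a CA in the truststore; `clientAuth="want"` requests but does not require one, which is useful while troubleshooting because the request still reaches the webapp and the certificate (if any) is visible via the `javax.servlet.request.X509Certificate` request attribute. Because the truststore defines who may connect, keep only the root CA (and not unrelated public CAs) in it, and since `server.xml` holds the store passwords in clear text, restrict its file permissions to the Tomcat user.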
